(54) Mobile internet access

(57) A method of enabling roaming of a mobile internet-access host (9) from a local area network (3) to a GSM network (6), each network having a home agent (HA) for routing internet datagrams between networks. The method comprises deregistering the mobile terminal (9) from said local area network (3) and registering it with the GSM network (6) and allocating to the mobile host (9) a new internet address in the GSM network (6). An internet security key is sent via the GSM Short Message Service from the local area network's home agent (HA) to the mobile terminal (9). The new internet address is transmitted, together with authentication data generated using the security key, via the internet (5) to the local area network's home agent (HA) which registers that address as a care-of-address for the mobile host (9).
Description

[0001] The present invention relates to mobile internet access and in particular to a method and apparatus for sending a security key to a mobile host for use in internet access.

[0002] Corporate users have traditionally accessed the internet from a fixed location within a Local Area Network (LAN), a user's LAN often being referred to as his "home" network (HN). The user interface to the internet is typically a personal computer (the "host"). As is illustrated in Figure 1, the home network is connected to an internet service provider which routes internet data, so-called "datagrams", between the home network and the internet, the internet in turn comprising other routers and service providers which route data to and from other "foreign" networks (FN).

[0003] In order to be able to transmit and receive datagrams to and from the internet, a host requires an internet address. A corporate home network is typically allocated a set of internet addresses by a national authority and the home network can assign these either fixedly or dynamically to hosts attached to the home network (using for example the Dynamic Host Configuration Protocol DHCP). The allocated set of internet addresses comprise a common prefix portion which identifies the home network, whilst a suffix portion identifies the destination host. When a datagram is received by a home network, a router (R) of the home network polls the attached hosts to determine which host corresponds to the internet address conveyed with the datagram. The datagram is then forwarded by the router to the identified host.

[0004] With the recent rapid advances in mobile communication technology, and in particular of wireless technologies, there has come a desire to gain internet access from mobile hosts or terminals, for example a laptop computer coupled to a cellular telephone. At present, this is available via certain digital telephone networks (e.g. GSM). As with conventional fixed line internet access, a mobile host may have a fixedly or dynamically assigned internet address, allocated by a service provider who is usually the cellular telephone network operator. In the case of mobile internet access, a communication channel between the mobile host and the network is reserved for the duration of the call. Internet data destined for the mobile host is received by the network and is sent to the host over the reserved channel.

[0005] This system works satisfactorily whilst a mobile host remains within one homogeneous network. However, it does not provide for "roaming" between different types of networks or between networks operated by different operators. When a mobile host "de-registers" with one network and registers with a new network, there is no mechanism for forwarding internet datagrams, addressed to the old network, to the new network as the communication channel between the mobile host and the old network no longer exists. It is therefore necessary to open a new communication channel between the mobile host and the new network. All datagrams addressed to the old network and not yet received by the mobile host are lost as a result of this channel change.
[0006] The desire for roaming is likely to increase in the near future as the provision of corporate wireless LANs becomes commonplace. A corporate user will have the opportunity to make wireless voice and data calls from a mobile terminal via the corporate LAN whilst he is inside the coverage area of that LAN. When the user leaves that area, he will then be able to connect to a digital cellular telephone network. In addition, so-called "hot-spot" LANs are likely to be provided in areas where high data capacity is required, e.g. airports, shopping centres. In all probability, hot-spot LANs will be operated by the cellular network operators although they may of course be operated by the property owners themselves.

[0007] A mobile internet access protocol which provides for roaming is currently being standardised by the Internet Engineering Task Force (IETF). This protocol is known as RFC2002. A mobile internet protocol is also described in EP556012. These protocols make use of a "home agent", located in a mobile host's home network, to keep track of the host when it leaves the home network. A mobile host is fixedly allocated an internet address corresponding to the home network.
[0008] When a mobile host is registered to its home network, the functionality of the network's home agent is off for that host (i.e. the host is "deregistered" with the home agent) so that the home agent does not alter the flow of datagrams from the internet to the network's router and the mobile host (as indicated by reference numeral 1 in Figure 2). When the mobile host leaves its home network and contacts a foreign network (FN), the host is registered with a foreign agent (FA) of that network. The foreign agent then transmits to the mobile host an internet address of the foreign agent, and the mobile host in turn transmits the received internet address to the home network's home agent, together with a registration instruction. The home agent registers the new status of the mobile host and records the newly allocated internet address as a "care-of-address" for the host. Whenever the mobile host registers with a new foreign network, a new care-of-address is sent to the home network's home agent to replace the previously registered care-of-address.

[0009] It will be appreciated that, as a mobile host has a fixed internet address allocated to it, datagrams destined for the host will always be sent to the home network. If a mobile host has an active internet connection when it passes from its home network to a foreign network, and a datagram destined for the host subsequently arrives at the home network, the home agent determines that the mobile host is registered with a foreign agent and forwards the datagrams to the registered care-of-address. A communication channel will have been reserved between the mobile host and the foreign agent, and the redirected datagram can be sent to the mobile host over this channel. Similarly, if a mobile host initiates a new internet access when registered with a foreign network, the host continues to use its allocated internet address. The home agent has already received the care-of-address and can again forward datagrams destined for the mobile host to the foreign agent for transfer to the host.

[0010] In some cases, the foreign network may dynamically assign an internet address to a visiting mobile host, e.g. if the foreign network does not have a foreign agent. This address is sent to the mobile host which in turn sends it to the home network's home agent as a care-of-address. Rather than merely redirecting datagrams to the care-of-address, the home agent actually replaces the old internet address contained in the datagram with the co-located care-of-address before retransmitting the datagram. This particular form of care-of-address, which identifies the mobile host as the "tunnel" end-point for the redirected datagrams, rather than a foreign agent, is known as a "co-located care-of-address". It is noted however, that when the mobile host is accessing the internet via the foreign network, it still uses its fixedly allocated internet address. It will therefore be appreciated that regardless of whether the home agent receives a care-of-address or a co-located care-of-address all datagrams directed to a mobile host pass through the home network's home agent (as indicated by reference numeral 2 in Figure 2).
[0011] In a modification to the mobile internet access protocol described above, roaming of a mobile host from a home to a foreign network may be achieved by assigning a new internet address, in said second network, to the mobile host when the host leaves the home network for the foreign network. This new address is then transmitted from the mobile host to the home network's home agent where the new address is registered as a care-of-address or co-located care-of-address for the mobile host. Datagrams addressed to the new internet address are sent directly to the mobile host via the foreign network's "foreign" agent. On the other hand, datagrams addressed to an internet address previously assigned to the mobile host in the home network are forwarded, using the registered care-of-address or co-located care-of-address, from that network's home agent to the mobile host via the foreign network's foreign agent. This protocol is described below with reference to Figure 3.

[0012] Current proposals for mobile internet access protocols have in common the feature that a care-of-address (or co-located care-of-address) must be sent from a mobile host to the host's home network when the host registers with a foreign network. The care-of-address is sent via the internet, together with authentication data generated from an authentication key and the care-of-address itself (or some other component of the registration message), where the secret authentication key is known to the mobile host and to the host's home network. A separate encryption key may also be used to encrypt other data sent between the mobile host and the home network.

[0013] A problem with this approach is that the internet is not necessarily a secure network and it is possible for third parties to intercept internet traffic. If a third party can also determine the authentication/encryption key then it may be possible for them to decrypt intercepted data. It may also be possible for a third party to send a false registration request and care-of-address to a mobile host's home network causing datagrams intended for that mobile host to be redirected to some other terminal.

[0014] A possible way to improve security is to allocate new authentication/encryption keys to a mobile host on a regular basis, e.g. every time the mobile host makes a new internet access request. However, as the new authentication/encryption key is sent via the internet the possibility remains that each new key may be intercepted and determined.

[0015] It is an object of the present invention to overcome or at least mitigate the above noted disadvantages. In particular, it is an object of the present invention to provide for the secure transmission of security keys, for use in mobile internet access, between a mobile host and a home network of the mobile host, particularly when the mobile host is registered with a foreign network.

[0016] These and other objects are met by sending security keys, from a mobile host's home network to the mobile host, using a point-to-point packet switched service of a cellular radio telephone network.
[0017] According to a first aspect of the present invention there is provided a method of communicating data between a mobile host and a remote station over the internet, where both the mobile host and the remote station are registered with the same or different cellular radio telephone networks, the method comprising the steps of:

sending a security key, from the remote station to the mobile host, over the cellular radio telephone network(s) using a point-to-point packet switched service of the network(s);

receiving said security key at the mobile host, and using the received key to ensure the security of subsequent data transmissions between the mobile host and the remote station over the internet.

[0018] The present invention avoids the use of the internet to distribute a security key to a mobile terminal. Furthermore, distribution is achieved using a cellular radio telephone network messaging service which is inherently more secure than the internet.

[0019] In one embodiment of the present invention, the remote station is connected to a Local Area Network (LAN), the LAN being connected to the internet. The

said LAN is assigned as the home network of the mobile host so that said remote terminal is the home agent of the mobile host;
the mobile host is registered with a cellular radio telephone network which provides access for the mobile host to the internet; and
a care-of-address is sent from the mobile host to the home agent over the internet encrypted with said security key.

4. A method according to claim 1, wherein the remote station is the home agent of a cellular telephone network.

5. A method according to claim 4, wherein the remote station is designated as the home agent of the mobile host, as defined by mobile internet protocol.

6. A method according to any one of the preceding claims, wherein the or each cellular radio telephone network is a GSM network and said point-to-point packet switched service is the Short Message Service (SMS).

7. Data communication apparatus comprising:

a mobile host (9) arranged for connection to the internet (5) and to a cellular radio telephone network (6) and having first signal processing means (15) for encrypting and decrypting data sent to and received from the internet (9);
a remote station (HA) arranged for connection to the internet (5) and to a cellular radio telephone network (6), and having second signal processing means (16) for encrypting and decrypting data sent to and received from the internet, the remote station (HA) further comprising means for providing a security key (13) and for sending the security key to the mobile host (9) over the cellular radio telephone network(s) using a point-to-point packet switched service of the network(s);
the mobile host (9) further comprising means for receiving said transmitted security key (14), wherein said security key may be used to secure subsequent data transmissions between the mobile host (9) and the remote station (HA) over the internet (5).
Figure 1

Figure 3

Figure 4
(19) Europäisches Patentamt / European Patent Office / Office européen des brevets

(12) EUROPEAN PATENT APPLICATION

(11) EP 0 944 203 A3

(88) Date of publication A3: 10.01.2001 Bulletin 2001/02
(43) Date of publication A2: 22.09.1999 Bulletin 1999/38
(21) Application number: 99660013.6
(22) Date of filing: 26.01.1999
(51) Int. Cl.7: H04L 12/22, H04L 29/06, H04Q 7/00, H04L 12/28
(84) Designated Contracting States: AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE
Designated Extension States: AL LT LV MK RO SI
(30) Priority: 09.02.1998 FI 980291
(71) Applicant: NOKIA MOBILE PHONES LTD., 02160 Espoo (FI)
(72) Inventor: Turunen, Matti, 33560 Tampere (FI)
(74) Representative: Johansson, Folke Anders et al, Nokia Corporation, P.O. Box 319, 00045 Nokia Group (FI)